GitHub Actions Day 22: Automerge Security Updates

December 22, 2019

This is day 22 of my GitHub Actions Advent Calendar. If you want to see the whole list of tips as they're published, see the index.

When GitHub started building GitHub Actions, it wasn't conceived of as just a CI/CD system -- it was meant to automate common tasks in your repository. Building and releasing are, of course, two of the most common tasks, but I love breaking out of the build and release pipeline and thinking about how GitHub Actions can help me manage other parts of my application. For example: security.

GitHub provides automated security alerts for your repositories. When you turn these on, GitHub will periodically scan your repository and examine the dependencies that you use. So if you're building a Node application, GitHub will look at the npm packages that you use and see if any of them have security vulnerabilities.

When it finds a vulnerability, it can open a pull request with the fix - updating that package to a newer version in which the problem has been fixed.

[Image: Dependabot]

Of course, when this pull request is opened, it will run the pull request validation build that you've configured in your repository. So you'll quickly know that the security update pull request works and that all your tests pass.

But if you have good test coverage... why stop there? Why not automate this entire process and go ahead and merge the security update when your tests pass?

To do this, we can take advantage of the github-script action, which gives us a ready-made Octokit client that we can use to merge the pull request from within the workflow.

In this workflow, we'll run our standard build job, which builds and tests on Node 8, 10 and 12. Then we'll add an automerge job that depends on the build job: only if the build job succeeds will the automerge job run.

The automerge job has a conditional - it ensures that the pull request is targeting the master branch, and that the dependabot[bot] user opened the pull request (i.e., the PR was opened as part of a GitHub security update).

Now when a GitHub security update is opened, and the build runs and tests pass, it will be merged directly into the master branch.
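Here is a complete workflow that does what the last few paragraphs describe. It is an added example written for this page, not the workflow from the original post, and it assumes a Node project with `npm test` and a default branch named master. The action versions (actions/checkout@v4, actions/setup-node@v4, actions/github-script@v7), the use of the `permissions` key to give the job's token write access on a Dependabot-triggered run, and the squash merge method are my choices; adjust them to your repository.

```yaml
name: CI

on: pull_request

jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # The Node versions the post names; update to the ones you support.
        node-version: [8.x, 10.x, 12.x]
    steps:
      - uses: actions/checkout@v4
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
      - run: npm ci
      - run: npm test

  automerge:
    # Runs only after every matrix leg of "build" has succeeded.
    needs: build
    runs-on: ubuntu-latest
    # Gate on the pull request payload, not on github.actor: the actor is
    # whoever triggered this particular run (for example by re-running it),
    # while pull_request.user is the account that opened the PR.
    if: >-
      github.event.pull_request.base.ref == 'master' &&
      github.event.pull_request.user.login == 'dependabot[bot]' &&
      github.event.pull_request.head.repo.full_name == github.repository
    # Least privilege for the token this job receives: merging needs to
    # write to the repository contents and to the pull request.
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/github-script@v7
        with:
          github-token: ${{ secrets.GITHUB_TOKEN }}
          script: |
            const pr = context.payload.pull_request;
            // Re-check inside the script as well, so the merge call cannot be
            // reached if the job-level "if" is ever loosened by mistake.
            if (pr.user.login !== 'dependabot[bot]' || pr.base.ref !== 'master') {
              core.setFailed(`refusing to automerge #${pr.number}: not a Dependabot PR against master`);
              return;
            }
            await github.rest.pulls.merge({
              owner: context.repo.owner,
              repo: context.repo.repo,
              pull_number: pr.number,
              merge_method: 'squash',
            });
            core.info(`merged #${pr.number}: ${pr.title}`);
```

Two details are worth calling out. First, the condition reads the PR author from the event payload rather than from `github.actor`, because the actor is simply whoever caused the run and is not a property of the pull request itself. Second, the token: since 2021 GitHub gives workflows triggered by Dependabot pull requests a read-only GITHUB_TOKEN by default, so the job declares the write permissions the merge needs explicitly; if your organization's settings do not allow that, the merge call will fail with a permissions error rather than silently doing nothing, which is the failure mode you want.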

[Image: Dependabot Automerge]

I hope that this gives you inspiration for ways to simplify your work by automating manual tasks in your repository -- like dealing with security updates -- and that you leverage GitHub Actions and github-script to help with that automation.